Sponsored by..

Monday, 18 September 2017

Malware spam: "Status of invoice" with .7z attachment

This spam leads to Locky ransomware:

Subject:       Status of invoice
From:       "Rosella Setter" ordering@[redacted]
Date:       Mon, September 18, 2017 9:30 am

Hello,

Could you please let me know the status of the attached invoice? I
appreciate your help!

Best regards,

Rosella Setter

Tel: 206-575-8068 x 100

Fax: 206-575-8094

*NEW*   Ordering@[redacted].com

* Kindly note we will be closed Monday in observance of Labor Day *


The name of the sender varies. Attached is a .7z arhive file with a name similar to A2174744-06.7z which contains in turn a malicious .vbs script with a random number for a filename (examples here and here).


Automated analysis of those two samples [1] [2] [3] [4] show this is Locky ransomware. Those two scripts attempt to download a component from:





yildizmakina74.com/87thiuh3gfDGS?
miliaraic.ru/p66/87thiuh3gfDGS?
lanzensberger.de/87thiuh3gfDGS?
web-ch-team.ch/87thiuh3gfDGS?
abelfaria.pt/87thiuh3gfDGS?

An executable is dropped with a detection rate of 19/64 which Hybrid Analysis shows is phoning home to:

91.191.184.158/imageload.cgi (Monte Telecom, Estonia)
195.123.218.226/imageload.cgi (Layer 6, Bulgaria)


.7z files are popular with the bad guys pushing Locky at the moment. Blocking them at your mail perimiter may help.

Recommended blocklist:
195.123.218.226
91.191.184.158



Wednesday, 6 September 2017

QTUM Cryptocurrency spam

This spam email appears to be sent by the Necurs botnet, advertising a new Bitcoin-like cryptocurrency called QTUM. Necurs is often used to pump malware, pharma and data spam and sometimes stock pump and dump.

There is no guarantee that this is actually being sent by the people running QTUM, it could simply be a Joe Job to disrupt operations. Given some of the wording alluding to illegal marketplaces, I suspect this could be the case.

Subject:       Qtum Main Network Launches September 13th, 2017
From:       "Lou Roberson"
Date:       Wed, September 6, 2017 6:37 am
Priority:       Normal


The Blockchain Made Ready for Business
Build Anonymous Decentralized Applications that Simply Work
Executable on mobile devices, compatible with major existing blockchain
ecosystems
TESTNET NOW LIVE!
   
    About
     
The Qtum Foundation is a Singapore based entity that promotes
adoption of the Qtum Blockchain. Project inception began in
March 2016, leading up to a successful crowdsale a year later.
Over 10,000 BTC and 72,000 ETH were raised in less than 5 days,
making Qtum one of the largest crowdfunded projects in history,
at $15.6 million dollars.

Investors received 51,000,000 Qtum tokens which will be
available for withdrawal on September 13, 2017.


The Qtum Foundation plans to be the anonymous blockchain for
business. Development efforts will allow us to market this
platform tovarious industries, such as: Mobile
Telecommunications, Counterfeit Protection, Finance, Industrial
Logistics (shipping, warranty,etc), Manufacturing, P2P Anonymous
Transfers and Anonymous Market Management from phone.
Build anonymous decentralized applications you can trust
     
Smart Contracts that Mean Business
Qtum makes it easier than ever for established sectors and
legacy institutions to interface with blockchain technology.
Create your own tokens, automate supply chain management and
engage in self-executing agreements in a standardized
environment, verified and tested for stability.

   
    Specification

    Total QTUM Supply: 100,000,000
    Block Target: 128 seconds
    Stake Return: ~4 QTUM
    Algorithm: SHA256

     
   
   
    QTUM SPARKNET
   
SPARKNET
          
Sparknet is designed primarily for developers, and as such
documentation at this point will be technical and suited more
for developers.  Testnet tokens do not hold any value and should
not be traded for any monetary instruments. The testnet can be
reset or forked at anytime as deemed necessary for development.

Forum Announcement:
https://bitcointalk.org/index.php?topic=1720632.4220

Release on github:
https://github.com/qtumproject/qtum/releases/tag/testnet-sparknet

Qtum Sparknet Usage and Information: Please see:
https://github.com/qtumproject/qtum/blob/testnet-1/doc/sparknet-guide.md
   
    QTUM SPYNET

Aug 15 The 2nd Qtum Test Network, Skynet, is now live: SKYNET
   
     
Qtum Skynet, the second public testnet for the Qtum blockchain.
All tokens aqcuired during the testnet will cease to exist 
when the mainnet is released which actually has tokens which
hold value. The purpose of the public testnet is to allow
developers to begin testing and developing applications, allow
early adopters to see a preview of how the network will behave,
and for the Qtum development team to run several load tests
which are not directly comparable when done on a private and
controlled network. Qtum Skynet will ideally have the same
consensus features and parameters as the Qtum mainnet.


Qtum Skynet Usage and Information:
Please see:
https://github.com/qtumproject/qtum/releases/tag/testnet-skynet
Please see:
https://github.com/qtumproject/qtum/releases/tag/testnet-skynet-v1.2

As soon as Main Network will be launched, you will be availaible
to build your own applications (DApps) or marketplaces. Fully
scalable and anonymous, so you can easy made any anonymous
marketplace which can be manage from your phone!

Just imagine, your own silkroad made on Qtum blockchain and
managed from your phone with fully anonymous transactions!

    No matter what kind of business you are building, all
transactions will be anonymous, and the network will never
reveal the ip addresses of the applications that are running
on it.

    Even if you sell weapons, drugs, trade in people and are
going to organize a coup d'?tat, you can be sure that you
will remain anonymous.

    Another thing is that it is illegal and sooner or later you
will receive the punishment that you deserve. But everyone
want to know how deep the rabbit hole goes.

    For our part, we can only provide a reliable, scalable and
anonymous ecosystem thanks to which any business can be
built on it and we guarantee that we will do everything
possible to make it sucesfull.

    We give you a choice - "blue pill or red pill"
       
        What Will your choice be?

    So, you have to prepare for Main Network launch  Qtum Custom
Token Walkthrough
   
    CROWDSALE
     
The QTUM token supply will be allocated as follows:

    - 51% of Qtum tokens (51,000,000) will be distributed
through the crowdsale
    - 20% of Qtum tokens (20,000,000 QTUM) will be distributed
among founders, early backers and the development team
    - 29% of Qtum tokens (29,000,000 QTUM) will be allocated to
community initiatives concerning business development, as
    well as academic research, education, and market expansion

For a more detailed overview of QTUM token allocation visit our
website: https://qtum.org/en/crowdsale#question-2
   
    Exchanges
     
Coinone:   https://coinone.co.kr/exchange/trade/qtum/
Yunbi: https://yunbi.com/markets/qtumcny
Bittrex: https://bittrex.com/Market/Index?MarketName=BTC-QTUM
https://bittrex.com/Market/Index?MarketName=ETH-QTUM
CHBTC: https://www.chbtc.com/qtum
BTER: https://bter.com/trade/qtum_cny
https://bter.com/trade/qtum_eth
https://bter.com/trade/qtum_btc

Yubi: https://www.jubi.com/coin/qtum/
Yuanbao:   https://www.yuanbao.com/trade/qtum2cny
Binance:   https://www.binance.com/trade.html?symbol=QTUM_ETH
Allcoin: https://allcoin.com/markets/QTUM-BTC/0/
BTC9: https://btc9.com/trade/22
Biduobao: https://www.biduobao.com/market-qtum.html
Liqui: https://liqui.io/#/exchange/QTUM_USDT
https://liqui.io/#/exchange/QTUM_ETH     
https://liqui.io/#/exchange/QTUM_BTC
Cryptopia: https://www.cryptopia.co.nz/Exchange?market=QTUM_BTC
COSS: https://exchange.coss.io/pair/qtum-eth
https://exchange.coss.io/pair/qtum-btc
HitBTC: https://hitbtc.com/exchange/QTUM-to-ETH/size
Novaexchange: https://novaexchange.com/market/BTC_QTUM/
   
    TEAM
   
   
     
See the full team at: https://qtum.org/en/team

    We are looking for developers to build the next generation
DApps on top of Qtum and invite you all to give our testnet
a try.

    We are always on the lookout to enrich our very talented
team, the next team member can be you!

    SEND YOUR RESUME TO OUR EMAIL: CAREERS@QTUM.ORG

    currently 4500+ Chinese community members

As far as I can see, there are no malicious links anywhere. This one can probably be marked down as an annoyance, and it should be easy enough to block or filter.

Tuesday, 5 September 2017

Malware spam: "Scanning" pretending to be from tayloredgroup.co.uk

This spam email pretends to be from tayloredgroup.co.uk but it is just a simple forgery leading to Locky ransomware. There is both a malicious attachment and link in the body text. The name of the sender varies.

Subject:       Scanning
From:       "Jeanette Randels" [Jeanette.Randels@tayloredgroup.co.uk]
Date:       Thu, May 18, 2017 8:26 pm

https://dropbox.com/file/9A30AA
--
Jeanette Randels DipFA

Taylored Group
26 City Business Centre
Hyde Street
Winchester
SO23 7TA

Members of the CAERUS Capital Group

www.tayloredgroup.co.uk

Office Number: 01962 826870
Mobile: 07915 612277
email: Jeanette.Randels@tayloredgroup.co.uk

Taylored Financial Planning is a trading style of Jonathan & Carole
Taylor who are an appointed representative of Caerus Financial Limited,
Building 120, Windmill Hill Business Park, Swindon, SN5 6NX which is authorised
and regulated by the Financial Conduct Authority.

Email communications are not secure, for this reason Taylored
Financial Planning cannot guarantee the security of the email or its contents or
that it remains virus free once sent. This email message is strictly
confidential and intended solely for the person or organisation to who it is
addressed. It may contain privileged and confidential information and if you are
not the recipient, you must not copy, distribute or take any action in
reference to it. If you have received this email in error, please notify us as
soon as possible and delete the message from your system. 
Despite having what appears to be a Dropbox URL, the link actually goes to another site completely and downloads a .7z archive file containing a malicious VBS script. Attached is another .7z archive file with a slightly different evil VBS script inside.

Detection rates for the scripts are about 13/58 [1] [2]. Automated analysis [3] [4] [5] [6]  shows Locky ransomware attempting to phone home to the following locations:

91.234.35.170/imageload.cgi (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
109.234.35.75/imageload.cgi (McHost.ru / VDSINA, Russia)

McHost is such a well-known purveyor of toxic crap that I recommend you block all of their ranges (plus I guess the related VDSINA ones), or even block the entire Webzilla AS35415. You can find a list of the network ranges here. Also thehost.ua also has a lot of crap and I would lean towards blocking whole network ranges.

Recommended minimum blocklist:
91.234.35.0/24
109.234.35.0/24